Rather than new types of fraud, what we’re seeing in the banking sector is a step change in how adaptable, realistic and efficient existing attack patterns have become. Bots can learn, adapt and personalise continuously once they’re interacting with live systems – and the implications for customer exposure are serious.
In card-not-present and 3D secure environments, there has been significant growth in social engineering and bank identification number-level attacks. Criminals are now using methods to beat banks’ own authentication protocols, and the way they’re being executed has become far more sophisticated and co-ordinated.
On the digital access side, there is clear and concerning growth in bot-driven and bot-assisted behaviour around login and account creation. These aren’t simple scripted attacks anymore. Traditional identifiers are being spoofed much more accurately, and in many cases the behaviour being presented is increasingly human-like.
The dynamic attacks we’re tracking begin by probing a bank’s authentication or transaction controls and observing live feedback – a successful login here, a flagged payment there. This allows attackers to map out which defences are weakest or most predictable, then focus on those vulnerabilities with targeted follow-ups.
Automation amplifies this by enabling attackers to collect vast amounts of personal or contextual information at scale and craft hyper-targeted strikes on specific customers, rather than running broad, generic campaigns. By constantly tweaking signals such as device fingerprints or timing patterns, they can quietly slip past rule-based detectors.
And most worryingly is that advanced AI agents are now replicating subtle human behaviours, such as irregular typing speeds and mouse movements, making it increasingly difficult for banks to distinguish between bots and real customers.
Reporting gets harder
Just like us, these machines are learning through each interaction. And because they are acting at scale, their ability to improve becomes exponentially greater.
The numbers bear this out. Deloitte’s Center for Financial Services predicts that generative AI could see fraud losses reaching US$40-billion in the United States alone by 2027 – a compound annual growth rate of 32%. Despite this, nearly half of US organisations still depend on human reviews and manual checks. Banks simply cannot manage the volume of AI-driven attacks using manual validation.
Read: Sim crime goes industrial as fraudsters target South Africa’s digital economy
The sophistication of these attacks has also made fraud reporting more complex. Some attacks impact account balances in real time, triggering alerts and customer reports within minutes. Others are far more subtle – an account might be compromised and controlled for weeks or months before any money is moved. The time between initial compromise and reported fraud can vary enormously.
To their credit, banks have invested significantly in sophisticated tooling, anomaly detection and mitigations, and there has been real industry-wide progress. But gaps in fraud detection often arise from isolated data and signals across systems, frequently due to regulatory, privacy or architectural constraints. This hinders the unified view of attacks spanning channels and time that is needed to stay ahead.
This fragmentation extends across institutions. Mule activity and compromised identities do not respect bank boundaries.
AI proves useful in fighting the growing sophistication of dynamic fraud — itself now driven by advances in AI. Explainable models, rapid pattern detection via generative tools and dynamic intelligence sharing make AI essential for trusted, adaptive defences that go beyond basic risk scores.
The role of the chief information security officer is becoming more complex. Not only has it become harder for them to trust the raw signals they’re using to assess risk, but attacks now rarely start and end in a single system. They often begin outside the institution and move across channels, partners and platforms.
Building resilience means improving how intelligence is shared across both upstream and downstream systems – incident information, behavioural insights and signal quality improvements flowing across internal and external boundaries.
Relying solely on fixed rules or static mitigations is no longer viable. Systems need to support dynamic scoring, contextual risk conditions and rapid feedback loops so that insights from one part of the ecosystem can inform defences everywhere else.
The shift required is fundamental: away from reacting to individual fraud events, and towards building adaptive, resilient systems that can keep pace as threats evolve. Unless banks share incident information, deepen behavioural insight and deploy AI-driven defences, customer exposure to fraud will rapidly increase.
Get breaking news from TechCentral on WhatsApp. Sign up here.